MBAM detected and removed backdoor.bot - now seeking verification that it's completely gone

7 replies to this topic

#1 reverseparanoiac

reverseparanoiac

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:02 AM

Posted 28 February 2011 - 09:03 AM

Hello! I want to thank you in advance for your help. I suppose this is just me being paranoid, but considering this is a backdoor.bot that Malwarebytes picked up yesterday, I just want to make sure that it's been completely removed from my laptop, since this is my main computer and I do most everything on here.

I received one of those pop-up messages yesterday that told me it detected some critical processes running on my computer and that it would like to run a scan of my system. I started task manager and ended Firefox to close all windows (including the pop-up). A scan with Microsoft Security Essentials turned up nothing, but when I ran Malwarebytes, it showed that I was infected with the "backdoor.bot". I had MBAM remove the file, then downloaded the trial version of Kaspersky 2011 AV to get a second opinion. Upon restarting and running both Kaspersky and MBAM again, both scans turned up clean. However, I'm still paranoid that my laptop is still compromised.

Any suggestions?

I'm using a Sony VAIO laptop with Windows 7 OS.

Thanks again!


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:02 PM

Posted 28 February 2011 - 01:47 PM

Please post the complete results of your MBAM scan for review (the one which detected the backdoor.bot).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



Did you remove Microsoft Security Essentials before installing Kaspersky? Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even if one of them is disabled for use as a stand-alone scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves into the operating system's core, and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files, this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time, resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms while trying to use it.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Anti-virus vendors recommend that you install and run only one anti-virus program at a time. You can always supplement your anti-virus by performing an Online Virus Scan.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#3 reverseparanoiac

reverseparanoiac
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:02 AM

Posted 28 February 2011 - 03:44 PM

I've removed Microsoft Security Essentials before installing Kaspersky. I've included the MBAM log that detected the backdoor.bot below:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5899

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/27/2011 10:55:24 PM
mbam-log-2011-02-27 (22-55-24).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 289963
Time elapsed: 43 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I actually did an internet search, and it seems as if MBAM is pulling up a false positive for the icardagt.exe file as a backdoor.bot. I've included the link to the MBAM forum here:

http://forums.malwarebytes.org/index.php?showtopic=76546

I don't know if this applies to me, since my database version was 5899 at the time of the scan, but updating my MBAM database to version 5906 resulted in a clean scan for me. Do you think this is merely a case of a false positive?
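The log posted above has the shape an analyst would want to triage before trusting a single-engine verdict: a detection in C:\Windows\winsxs (the Windows component store), in a directory whose name carries the Windows public key token 31bf3856ad364e35, reported by database 5899 and no longer reported after updating to 5906. The following Python is an added example, not code from the thread or from Malwarebytes: it parses an MBAM 1.x log in the layout shown, flags detections that deserve a false-positive check before anything is deleted, and hashes a file so that its digest can be looked up at a second-opinion scanner without uploading the file itself. The sample log is constructed from the posted one, the `KNOWN_FALSE_POSITIVES` table is a hypothetical local list seeded with the one entry this thread establishes, and the `\windows\winsxs` plus public-key-token check is an assumption about how to recognise OS component-store paths, not a Malwarebytes rule.

```python
"""Triage an MBAM 1.x scan log: extract detections and flag the ones that
deserve a false-positive check (OS component store, known corrected detection)."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.50 log layout, modelled on the log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5899

Windows 6.1.7600

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 289963

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Files Infected:
c:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Public key token that Windows components carry in their winsxs directory names.
WINDOWS_PUBKEY_TOKEN = "31bf3856ad364e35"

# Hypothetical local list: (threat name, file name) -> first database version that no longer
# flags it. The single entry is the correction this thread reports (5899 flagged, 5906 clean).
KNOWN_FALSE_POSITIVES = {("Backdoor.Bot", "icardagt.exe"): 5906}

DBVER_RE = re.compile(r"^Database version: (?P<v>\d+)$")
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Detection lines: "<path> (<threat name>) -> <action taken>"
DETECT_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    path: str
    threat: str
    action: str


@dataclass
class ScanLog:
    database_version: int
    counts: dict
    detections: list


def parse_mbam_log(text: str) -> ScanLog:
    """Pull the database version, the summary counts and every detection line out of the log."""
    version, counts, detections = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DBVER_RE.match(line):
            version = int(m["v"])
        elif m := COUNT_RE.match(line):
            counts[m["category"]] = int(m["n"])
        elif m := DETECT_RE.match(line):
            detections.append(Detection(m["path"], m["threat"], m["action"]))
    if version is None:
        raise ValueError("no 'Database version' line: cannot judge how current the signatures were")
    return ScanLog(version, counts, detections)


def triage(log: ScanLog) -> list:
    """Return (path, verdict, reasons) per detection. A detection inside the Windows component
    store, or one already corrected in a newer database, is marked for verification first."""
    results = []
    for d in log.detections:
        lowered = d.path.lower()
        file_name = lowered.rsplit("\\", 1)[-1]
        reasons = []
        if "\\windows\\winsxs\\" in lowered and WINDOWS_PUBKEY_TOKEN in lowered:
            reasons.append("file sits in the Windows component store under the Windows public key token")
        fixed_in = KNOWN_FALSE_POSITIVES.get((d.threat, file_name))
        if fixed_in is not None and log.database_version < fixed_in:
            reasons.append(f"detection corrected in database {fixed_in}; this scan used {log.database_version}")
        if reasons and "deleted" in d.action.lower():
            reasons.append("file was already deleted: restore it from quarantine before submitting a sample")
        verdict = "verify-before-trusting" if reasons else "treat-as-real"
        results.append((d.path, verdict, reasons))
    return results


def second_opinion_digest(data: bytes) -> str:
    """SHA-256 of the file contents; the digest can be searched at a multi-engine scanner."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for path, verdict, why in triage(parsed):
        print(f"{verdict}: {path}")
        for r in why:
            print("  -", r)
```

Running it on the constructed log yields one detection with a "verify-before-trusting" verdict and three reasons, which is the same conclusion the thread reaches by hand: confirm the file's identity (digest lookup, vendor submission) before assuming a compromise or reformatting.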

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:02 PM

Posted 28 February 2011 - 07:37 PM

Do you think this is merely a case of a false positive?

Yes it appears it was a false detection and it has been corrected.

#6 Gliss59

Gliss59

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:02 AM

Posted 28 February 2011 - 08:29 PM



I also got the same exact results after running Malware. The same exact file.
I quarantined the file.

I ran AVG, scan was clean.
Ran windows Defender
Ran Norman Malware scan was clean
Ran SpyHunter scan was clean
Ran Avast scan was clean.

I did uninstall AVG while running other Anti-Virus programs. Also shut down Defender.

I just came upon this post after searching the internet all day. I did run Norman while AVG and Defender were installed and active.

What would be the reason for a false positive??

Upon discovering BackDoor.Bot after running Malware, I also opened Task Manager and looked in Applications and Processes for a running Backdoor.Bot. They were clean. I then searched the registry and found no BackDoor files.

Then I ran other Programs.

Thanks in Advance. I just registered today glad to be a member.

Doug

#7 reverseparanoiac

reverseparanoiac
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:02 AM

Posted 28 February 2011 - 09:43 PM

I guess sometimes certain keywords or hash numbers/code can bring about false positives.

I was a little quick to delete the file after MBAM found it. Then after updating the database version on MBAM, I ran the scan again, which found nothing. Then came the Kaspersky scan, the Adaware scan, the Spybot scan, the Superantispyware scan. Let's just say there was a lot of uninstalling/disabling/reinstalling taking place last night, but all of the scans came up clean, even after reboots and in safe mode.

Needless to say, I was rather confuddled, since every other forum reported that users who got the backdoor.bot had an extremely difficult time removing it.

I'm just glad I came across that MBAM forum and that it turned out to be a false positive. Saves me the trouble of reformatting the computer.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:02 PM

Posted 28 February 2011 - 09:51 PM

These are links to articles which explain false detections and why they occur.

All scanning tools are susceptible to glitches, bugs and false positive detections from time to time, especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list.

Submitting file samples to the anti-virus vendor for further analysis allows the lab Techs to quickly investigate and confirm if the detection is actually malware. Some security programs have built-in options for submitting a file directly from the quarantined area to the vendor's lab for analysis. Most user guides will explain how to do that. Other anti-virus solutions automatically submit files or provide an alert to do so if you have checked the option to "Submit for analysis" in the program's settings. If those options are unavailable, most anti-virus vendors have instructions for sample file submissions posted on their web sites. You should also contact and advise the program vendor that one of their files is being detected as a threat. In many cases they will work with the anti-virus Techs in an attempt to resolve the detection.

Anytime you suspect a file may be a false positive, you can also get a second opinion. Go to one of the following online services that analyzes suspicious files:

In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.

Edited by quietman7, 28 February 2011 - 09:58 PM.
